Velocity Reviews - Computer Hardware Reviews

draytel account hack - anyone else?

 
 
tg
 
      04-12-2010
My Draytel SIP account has been hacked over the last 24 hours, starting at
4:35pm on the 12th April, and my credit has been completely used up in that
time. I've sent an email to Draytel and I'm hoping they will confirm the
hack and restore my credit, but I was wondering if anyone else out there has
had their Draytel account hacked?

 
 
 
 
 
Gordon Henderson
 
      04-13-2010
In article <4bc3a41c$0$2521$(E-Mail Removed)>,
tg <(E-Mail Removed)> wrote:
>my draytel sip account has been hacked over the last 24 hours starting at
>4:35pm on the 12th April and my credit has been completely used up in that
>time. I've sent an email to draytel and I'm hoping they will confirm the
>hack and restore my credit but I was wondering if anyone else out there has
>had their draytel account hacked?


There appear to be large on-going hack/crack attempts on anything that
vaguely resembles a SIP server right now. I had my home/office box
attacked - a sustained attack of 200 tests/second for some 36 hours. It
originated from an Amazon EC3 host. I also know that some of my clients
have been under attack too - as well as my central peering servers.

I've also read reports of this happening all over the place - from Amazon
EC2's over the weekend, but maybe they've moved on now.

Do you know the numbers they called once they got the passwords?

Gordon
 
 
 
 
 
tg
 
      04-13-2010
>
> Do you know the numbers they called once they got the passwords?


Thanks for your response, Gordon.
Some of the numbers that were called using my credit were:
0022462310923
0022468299222
0022462427585
0022468459504...etc

What I also noticed is that during this same hack period (the last 24 hours)
I've had about 30-odd missed calls on the display of my SIP phone, and all
of them start with 00224...
I'm also spitting blood right now because Draytel came back to me saying it
was basically 'my problem', they weren't going to restore my credit and that
I need to change my SIP password. What a bunch of maggots. I'm now taking
the matter up with Ofcom. I'm so angry with Draytel over this, they just
don't give a damn.

 
 
Koos van den Hout
 
      04-13-2010
Gordon Henderson <(E-Mail Removed)> wrote in <hq18du$2u5q$(E-Mail Removed)>:
> There appears to be large on-going hack/crack attempts on anything that
> vaguely resembles an SIP server right now. I had my home/office box
> attacked - a sustained attack of 200 tests/second for some 36 hours. It
> originated from an Amazon EC3 host.


Like this one?

[Apr 10 16:45:36] NOTICE[6890] chan_sip.c: Registration from '"9999"<sip:(E-Mail Removed)>' failed for '184.73.12.46' - No matching peer found

I have 24253 entries that look like that one.

Interestingly, another Asterisk I run has no recent attempts.

Koos

--
Koos van den Hout, PGP keyid DSS/1024 0xF0D7C263 via keyservers
Weather maps from free sources at
http://idefix.net/ http://weather.idefix.net/
 
 
Gordon Henderson
 
      04-13-2010
In article <hq1ssn$gof$(E-Mail Removed)4all.nl>,
Koos van den Hout <(E-Mail Removed)4all.nl> wrote:
>Gordon Henderson <(E-Mail Removed)> wrote in
><hq18du$2u5q$(E-Mail Removed)>:
>> There appears to be large on-going hack/crack attempts on anything that
>> vaguely resembles an SIP server right now. I had my home/office box
>> attacked - a sustained attack of 200 tests/second for some 36 hours. It
>> originated from an Amazon EC3 host.

>
>Like this one?
>
>[Apr 10 16:45:36] NOTICE[6890] chan_sip.c: Registration from
>'"9999"<sip:(E-Mail Removed)>' failed for '184.73.12.46' - No matching
>peer found
>
>I have 24253 entries that look like that one.


Yes, but for a different account.

>Interestingly, another asterisk I run has no recent attempts.


I run many, but only one that I know of has so far been hit with this attack,
but it's only a matter of time.

Make sure you have alwaysauthreject=yes in your sip.conf file.

Gordon
 
 
alexd
 
      04-13-2010
On 13/04/10 13:05, tg wrote:

> I'm also spitting blood right now because draytel came back to me saying it
> was basically 'my problem', they weren't going to restore my credit and
> that
> I need to change my sip password. What a bunch of maggots. I'm now taking
> the matter up with ofcom. I'm so angry with draytel over this, they just
> don't give a damn.


What have Draytel done wrong, exactly?

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
18:09:23 up 4 days, 7:17, 2 users, load average: 0.03, 0.20, 0.17
It is better to have been wasted and then sober
than to never have been wasted at all
 
 
tg
 
      04-13-2010


"alexd" <(E-Mail Removed)> wrote in message
news:hq28jp$l78$(E-Mail Removed)...
> On 13/04/10 13:05, tg wrote:
>
>> I'm also spitting blood right now because draytel came back to me saying
>> it
>> was basically 'my problem', they weren't going to restore my credit and
>> that
>> I need to change my sip password. What a bunch of maggots. I'm now taking
>> the matter up with ofcom. I'm so angry with draytel over this, they just
>> don't give a damn.

>
> What have Draytel done wrong, exactly?


Draytel have had a security breach into THEIR server and someone is running
amok with my paid credit. They're making out this is my problem; it's not.
I trusted them with the money I paid them, my username and password have
remained safe at my end, and they've allowed my credit to be squandered by
some hacker who is obviously making numerous calls to Guinea. This is
betrayal by Draytel and I'm justified in being furious, and I'm referring
the matter to Ofcom.

 
 
Vicktor Whieste
 
      04-13-2010
On Tue, 13 Apr 2010 08:02:06 +0000, Gordon Henderson wrote:

> In article <4bc3a41c$0$2521$(E-Mail Removed)>, tg
> <(E-Mail Removed)> wrote:
>>my draytel sip account has been hacked over the last 24 hours starting
>>at 4:35pm on the 12th April and my credit has been completely used up in
>>that time. I've sent an email to draytel and I'm hoping they will
>>confirm the hack and restore my credit but I was wondering if anyone
>>else out there has had their draytel account hacked?

>
> There appears to be large on-going hack/crack attempts on anything that
> vaguely resembles an SIP server right now. I had my home/office box
> attacked - a sustained attack of 200 tests/second for some 36 hours. It
> originated from an Amazon EC3 host. I also know that some of my clients
> have been under attack too - as well as my central peering servers.
>
> I've also read reports of this happening all over the place - from
> Amazon EC2's over the weekend, but maybe they've moved on now.
>
> Do you know the numbers they called once they got the passwords?
>
> Gordon

It's not uncommon to see a log littered with this:

[2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8119"<sip:(E-Mail Removed)>' failed for '89.255.8.160' - No matching peer found
[2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8120"<sip:(E-Mail Removed)>' failed for '89.255.8.160' - No matching peer found
[2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8121"<sip:(E-Mail Removed)>' failed for '89.255.8.160' - No matching peer found
[2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8122"<sip:(E-Mail Removed)>' failed for '89.255.8.160' - No matching peer found

and tools like sipvicious make it very easy and fast to find suitable
weak targets for toll fraud. It's been happening since the beginning of
time.

What a surprise that it's Draytek's VoIP service. Toy devices, toy
services. Probably 'protected' by their own kit LOL.

Gordon, I am not sure if rate controlling connections on 5060 in iptables
would be sufficient to stop the serious hacking attempts - what are your
views?


 
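A detection pass over log lines in exactly the format Vicktor and Koos quote, as an added example that is not part of any post in this thread and not Asterisk's own tooling: it parses the chan_sip failed-registration notices (both the `[2010-04-13 18:37:00]` and the `[Apr 10 16:45:36]` timestamp styles seen above), groups them by source address, flags sources that either burst many failures into a short window or walk numerically consecutive usernames (the fingerprint of a sipvicious svwar-style sweep), and prints one iptables DROP rule scoped to UDP/5060 per flagged source, which is the targeted form of the rate-control idea Vicktor asks about. The sample log is constructed: `pbx.example.invalid` stands in for the host the forum stripped out, the 192.0.2.77 entries are invented to show a source that should not be blocked, and the thresholds are illustrative rather than anything the thread recommends.

```python
"""Spot SIP extension-enumeration scans in Asterisk chan_sip log output
and emit iptables rules for the offending sources.  Added example, not
the posters' or Asterisk's own code; the log lines below are constructed
to match the NOTICE format quoted in the thread, with a placeholder host.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one host walking extensions 8119..8123 within a
# second (svwar-style), one host with a typo then a wrong password (a
# legitimate user who should NOT be blocked), and one line in the
# "[Apr 10 ...]" timestamp style from Koos's post.
SAMPLE_LOG = """\
[2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8119"<sip:8119@pbx.example.invalid>' failed for '89.255.8.160' - No matching peer found
[2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8120"<sip:8120@pbx.example.invalid>' failed for '89.255.8.160' - No matching peer found
[2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8121"<sip:8121@pbx.example.invalid>' failed for '89.255.8.160' - No matching peer found
[2010-04-13 18:37:00] NOTICE[6461] chan_sip.c: Registration from '"8122"<sip:8122@pbx.example.invalid>' failed for '89.255.8.160' - No matching peer found
[2010-04-13 18:37:01] NOTICE[6461] chan_sip.c: Registration from '"8123"<sip:8123@pbx.example.invalid>' failed for '89.255.8.160' - No matching peer found
[2010-04-13 18:40:12] NOTICE[6461] chan_sip.c: Registration from '"100l"<sip:100l@pbx.example.invalid>' failed for '192.0.2.77' - No matching peer found
[2010-04-13 18:41:05] NOTICE[6461] chan_sip.c: Registration from '"1001"<sip:1001@pbx.example.invalid>' failed for '192.0.2.77' - Wrong password
[Apr 10 16:45:36] NOTICE[6890] chan_sip.c: Registration from '"9999"<sip:9999@pbx.example.invalid>' failed for '184.73.12.46' - No matching peer found
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<user>[^\"]*)\"<sip:[^>]*>' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.+)$"
)

def parse_ts(text):
    """Accept both timestamp styles seen in the thread; return None if neither fits."""
    for fmt in ('%Y-%m-%d %H:%M:%S', '%b %d %H:%M:%S'):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None

def parse_failures(text):
    """Return a list of (timestamp, username, source_ip, reason) for each failed REGISTER."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group('ts'))
        if ts is not None:
            events.append((ts, m.group('user'), m.group('ip'), m.group('reason')))
    return events

def find_scanners(events, min_failures=5, window_seconds=60, min_sequential=3):
    """Return {ip: summary} for sources that look like enumeration scans:
    many failures inside window_seconds, or a run of numerically consecutive
    usernames.  Thresholds are illustrative, not values from the thread."""
    by_ip = defaultdict(list)
    for ts, user, ip, _reason in events:
        by_ip[ip].append((ts, user))
    scanners = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Largest number of failures inside any window_seconds-long window.
        burst, j = 0, 0
        for i in range(len(attempts)):
            while (attempts[i][0] - attempts[j][0]).total_seconds() > window_seconds:
                j += 1
            burst = max(burst, i - j + 1)
        # Longest run of numerically consecutive usernames (8119, 8120, ...).
        run = best_run = 1
        for (_, a), (_, b) in zip(attempts, attempts[1:]):
            run = run + 1 if a.isdigit() and b.isdigit() and int(b) == int(a) + 1 else 1
            best_run = max(best_run, run)
        if burst >= min_failures or best_run >= min_sequential:
            scanners[ip] = {'attempts': len(attempts), 'burst': burst, 'sequential': best_run}
    return scanners

def iptables_rules(scanners):
    """One DROP rule per scanner, limited to SIP/UDP so nothing else from that host is cut off."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"
            for ip in sorted(scanners)]

if __name__ == '__main__':
    found = find_scanners(parse_failures(SAMPLE_LOG))
    for ip, info in found.items():
        print(ip, info)
    print('\n'.join(iptables_rules(found)))
```

Feeding it the real file is a matter of replacing `SAMPLE_LOG` with the contents of the Asterisk messages log. It is a one-shot pass; for continuous blocking the same regex belongs in a fail2ban filter, with alexd's self-DoS caveat in mind: a NAT'd office where one handset has a mistyped secret will trip a pure failure-count rule, which is why the consecutive-username test is the more discriminating of the two signals here.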
 
tg
 
      04-13-2010


>
> Can you not tell your credit card company?


I don't see that working, they'll just tell me I have to sort it out with my
provider - draytel, which is proving extremely difficult. They're
stonewalling me like crazy.

 
 
alexd
 
      04-13-2010
On 13/04/10 20:08, Vicktor Whieste wrote:

> Gordon, I am not sure if rate controlling connections on 5060 in iptables
> would be sufficient to stop the serious hacking attempts - what are your
> views?


http://www.voip-info.org/wiki/view/F...)+And+Asterisk

Probably easier to permit the stuff you want and block everything else,
although that depends who/where your endpoints are.

IMO, you should do the obvious and simple things first, like setting
sensible passwords, before getting into complicated and potentially
self-DoSing stuff like fail2ban.

And run sipvicious against your own kit - no sense letting the bad guys
keep the interesting and useful tools to themselves.

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
 
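Gordon's alwaysauthreject=yes advice and alexd's "sensible passwords first" point are both checks on sip.conf, so here is one added example that covers both (mine, not Asterisk's tooling and not code from anyone in this thread): a weak sip.conf of the kind the scans above feed on next to a hardened one, and a small INI parser plus audit routine that reports `alwaysauthreject` not enabled, `allowguest` not disabled, and per-peer secrets that are missing, equal to the account name, all-numeric or short. Both configuration texts are constructed for the example; the peer names, secrets, subnet and the 12-character length threshold are assumptions, not values from the thread. The `deny`/`permit` lines in the hardened copy are the standard Asterisk per-peer source restriction, shown because alexd's "permit what you want and block everything else" applies inside sip.conf as well as in iptables.

```python
"""Audit an Asterisk sip.conf for the settings that let a SIP scanner
enumerate extensions and brute-force secrets.  Added example, not
Asterisk's own code nor any poster's; WEAK_SIP_CONF and HARDENED_SIP_CONF
are constructed for illustration.
"""
import re

# Constructed: the configuration a scanner enjoys.  alwaysauthreject is
# unset, so an unknown user gets a different reply from a wrong password
# and valid extension names can be enumerated; allowguest is on; the
# secrets are the account name itself and a four-digit PIN.
WEAK_SIP_CONF = """
[general]
context=default
allowguest=yes

[1001]
type=friend
secret=1001
host=dynamic

[8119]
type=friend
secret=1234
host=dynamic
"""

# Constructed hardened form (secrets and subnet are assumptions).
HARDENED_SIP_CONF = """
[general]
context=default
allowguest=no
alwaysauthreject=yes

[1001]
type=friend
secret=Rk7vq2Lp9xT4mNb3
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[8119]
type=friend
secret=9aF2zQ8tM1hW6cXe
host=dynamic
"""

def parse_sip_conf(text):
    """Minimal INI parser: returns {section: {key: value}}.  Comments
    (';') and blank lines are skipped; a repeated key keeps the last value."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[([^\]]+)\]$', line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, _, val = line.partition('=')
        sections[current][key.strip().lower()] = val.strip()
    return sections

def audit_sip_conf(text, min_secret_len=12):
    """Return a list of findings; an empty list means nothing was flagged.
    Unset alwaysauthreject is treated as not enabled, and unset allowguest
    as enabled, which matches Asterisk's defaults of the time."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get('general', {})
    if general.get('alwaysauthreject', 'no').lower() != 'yes':
        findings.append("general: alwaysauthreject is not 'yes' (valid usernames can be enumerated)")
    if general.get('allowguest', 'yes').lower() != 'no':
        findings.append("general: allowguest is not 'no' (unauthenticated calls are accepted)")
    for name, opts in conf.items():
        if name == 'general' or opts.get('type') not in ('friend', 'peer', 'user'):
            continue
        secret = opts.get('secret', '')
        if not secret:
            findings.append(f"{name}: no secret set")
        elif secret in (name, opts.get('username', '')):
            findings.append(f"{name}: secret equals the account name")
        elif secret.isdigit() or len(secret) < min_secret_len:
            findings.append(f"{name}: secret is all-numeric or shorter than {min_secret_len} characters")
    return findings

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_SIP_CONF), ('hardened', HARDENED_SIP_CONF)):
        print(f"{label}: {audit_sip_conf(conf) or ['no findings']}")
```

Note what alwaysauthreject does and does not do: with it set, Asterisk answers a REGISTER for a non-existent user the same way it answers a wrong password, so the scanner's first pass (svwar) stops yielding a list of valid extensions; the "No matching peer found" notices still appear in your own log, which is exactly why they remain useful for blocking the source. It does nothing about guessable secrets, which is why the secret checks sit alongside it rather than being an afterthought.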
 
 
 